In recent years, the development of cloud computing has led to wide application of virtualization technology, which serves as one of the basic supporting technologies of cloud computing. With virtualization technology, multiple virtual machines may run simultaneously on one physical host, which improves the resource utilization rate and the flexibility of resource allocation. However, this also introduces a security risk: when a vulnerability of one virtual machine affects the virtual machine monitor (VMM) at the bottom layer, all other virtual machines on the same physical host as that virtual machine are affected.
Currently, a physical host in a common Xen virtualization system includes two key components: a Hypervisor (a virtual machine manager) and a domain-0 (the management virtual machine of a Xen platform). A great number of vulnerabilities generally occur in the code of the domain-0. Therefore, to prevent a vulnerability of one virtual machine from affecting the other virtual machines on the physical host on which that virtual machine is located, isolating the domain-0 and ensuring its security has become an urgent problem to be resolved.
In the prior art, some service components of a domain-0 may be removed from the domain-0 and placed into different independent virtual machines to run, so that the service components of the domain-0 are isolated from each other, thereby ensuring security of the domain-0.
However, the foregoing method of ensuring the security of the domain-0 by using different virtual machines has two drawbacks. On one hand, communication between some service components of the domain-0 changes from the original interprocess communication into inter-virtual machine communication, which degrades the performance of communication between the service components and requires more resources for running the virtual machines. On the other hand, the level of a service component is not taken into account, resulting in relatively low security of the service components in the domain-0.